Description

Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.

Status: PUBLISHED | Reserved 2026-04-13 | Published 2026-06-08 | Updated 2026-06-09 | Assigner: VulnCheck

HIGH: 7.7 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

HIGH: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: affected

2.9.14 (semver): affected

a5db5ed156355e3088e7d1ceb0533d4bae922def (git): unaffected

Credits

Yassine Damiri (finder)

References

github.com/NginxProxyManager/nginx-proxy-manager/pull/5498 (issue-tracking)

github.com/...ommit/a5db5ed156355e3088e7d1ceb0533d4bae922def (patch)

www.vulncheck.com/...thenticated-rce-via-setupcertbotplugins (third-party-advisory)

cve.org (CVE-2026-40519)

nvd.nist.gov (CVE-2026-40519)